On Wednesday, 19 July 2017 at 00:26:16 UTC+2, Charles Reiss wrote:
> - Digidentity Services CA - G2 (https://crt.sh/?caid=868 ; chains to 
> Staat der Nederlanden Root CA - G2) has issued certificates with serial 
> numbers that appear to be of the form 0x10000000 + sequential counter 
> with notBefores as recent as 8 June 2017.

Hi Charles,

Many thanks for bringing this to our attention. We have looked into this 
matter immediately. Meanwhile the Policy Authority PKIoverheid has
prohibited Digidentity (one of the Trusted Service Providers within the 
PKIoverheid/Staat der Nederlanden hierarchy) from issuing new certificates.

After investigation it emerged that a total of 777 certificates were issued 
from September 30th 2016 that are not compliant with BR ballot 164
(https://cabforum.org/2016/07/08/ballot-164/), echoed by the same requirement 
in version 2.4 (compliance date: February 28, 2017) of the Mozilla CA 
Certificate Policy. Digidentity will revoke and
replace these non-compliant certificates. This will take place on or before 
31 August 2017. However, this action requires the cooperation of
subscribers. As you know we are in the midst of the holiday season, so we 
can't completely rule out that some certificates will be replaced a couple
of days after August 31st. Nevertheless Digidentity will do its utmost 
to revoke and replace all certs before the 31st.

As evidence that Digidentity is now compliant with regard to the certificate 
serial number requirement from the BR, check the newly issued SSL cert on this 
website: https://www.digidentity.eu/nl/home/ 

The Policy Authority PKIoverheid has judged that Digidentity can resume 
issuing certificates now that they are in compliance with Ballot 164 and the 
Mozilla CA Policy.

Please let me know if you have any questions.

Further questions can also be answered by my colleagues Jorik van 't Hof 
or Jochem van den Berge.


Mark Janssen
dev-security-policy mailing list
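The kind of screening Charles describes (spotting serials of the form 0x10000000 + counter, which cannot contain the 64 bits of CSPRNG output that Ballot 164 requires) is easy to automate. The following is an added example written for this page, not Digidentity's, PKIoverheid's or Mozilla's tooling; the serials and notBefore dates are constructed, and the thresholds in looks_sequential are assumptions chosen for illustration.

```python
# Added example: screen certificate serial numbers, as printed by
# `openssl x509 -serial -noout` or shown on crt.sh, for Ballot 164 problems.
# Not Digidentity's or PKIoverheid's code; all sample data below is constructed.
from typing import Dict, List, Tuple

MIN_RANDOM_BITS = 64    # BR 7.1 after Ballot 164: >= 64 bits of CSPRNG output
MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: serial encodes to at most 20 octets


def parse_serial(text: str) -> int:
    """Accept 'serial=1000002F', '10:00:00:2F', '0x1000002F' or plain hex."""
    t = text.strip()
    if t.lower().startswith("serial="):
        t = t[len("serial="):]
    t = t.replace(":", "").replace(" ", "")
    if t.lower().startswith("0x"):
        t = t[2:]
    return int(t, 16)


def der_integer_length(value: int) -> int:
    """Content octets a positive INTEGER needs in DER (a 0x00 pad is added
    when the top bit of the first octet would otherwise be set)."""
    return value.bit_length() // 8 + 1


def serial_issues(serial: int) -> List[str]:
    """Return the Ballot 164 / RFC 5280 problems visible from the serial alone."""
    issues = []
    if serial <= 0:
        issues.append("serial must be a positive integer (RFC 5280 4.1.2.2)")
        return issues
    if der_integer_length(serial) > MAX_SERIAL_OCTETS:
        issues.append(f"DER encoding is {der_integer_length(serial)} octets, "
                      f"limit is {MAX_SERIAL_OCTETS}")
    bits = serial.bit_length()
    if bits < MIN_RANDOM_BITS:
        # A 29-bit value such as 0x10000301 cannot hold 64 random bits.
        issues.append(f"only {bits} significant bits, so it cannot contain "
                      f"{MIN_RANDOM_BITS} bits of CSPRNG output (Ballot 164)")
    return issues


def looks_sequential(certs: List[Tuple[str, str]],
                     max_step: int = 16, threshold: float = 0.8) -> bool:
    """Heuristic over a CA's issuance history: counter-derived serials grow by
    small steps when ordered by notBefore, random ones do not.
    max_step and threshold are illustrative assumptions, not a standard."""
    serials = [parse_serial(s) for _, s in sorted(certs)]
    if len(serials) < 2:
        return False
    steps = [b - a for a, b in zip(serials, serials[1:])]
    small = sum(1 for d in steps if 1 <= d <= max_step)
    return small / len(steps) >= threshold


def audit(certs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each printed serial to its per-certificate findings."""
    return {text: serial_issues(parse_serial(text)) for _, text in certs}


# Constructed sample data in the shape of the report above (not real certs).
COUNTER_CERTS = [
    ("2016-09-30", "serial=10000301"),
    ("2016-10-02", "serial=10000302"),
    ("2016-10-02", "serial=10000303"),
    ("2016-11-15", "serial=10000304"),
    ("2017-06-08", "serial=10000309"),
]
RANDOM_CERTS = [
    ("2017-07-19", "serial=4A3F9C1D7E2B60FF81C3"),
    ("2017-07-20", "serial=0B8E12F4D93A7C5E6021"),
    ("2017-07-21", "serial=7F20C3A91B5D48E6F1A4"),
]

if __name__ == "__main__":
    for name, certs in (("counter-like", COUNTER_CERTS), ("random", RANDOM_CERTS)):
        print(f"{name}: sequential={looks_sequential(certs)}")
        for text, issues in audit(certs).items():
            print(f"  {text}: {'; '.join(issues) or 'no issue found'}")
```

A serial of at least 64 significant bits is a necessary condition, not proof of compliance: nothing in the certificate shows that those bits came from a CSPRNG, which is why the second check runs over a CA's issuance history (for example, the serials crt.sh lists for a CA id) and looks for the small, monotone steps a counter leaves behind.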
